
Ever wondered how neglecting a cybersecurity risk analysis is like leaving your front door wide open in a sketchy neighborhood? Well, buckle up because today we dig into the latest OCR ransomware settlement involving Heritage Valley Health Systems and a laundry list of potential violations. From failing to conduct a thorough risk analysis to lacking a proper contingency plan for ransomware attacks to neglecting to train their workforce on policies and procedures, this is a cautionary tale of what happens when cybersecurity isn’t taken seriously.
In this episode:
OCR Ransomware Settlement – Ep 468
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!
Change All Passwords Now
[02:21] RockYou2024: 10 billion passwords leaked in the largest compilation of all time | Cybernews. They will be using this in their brute force attacks. Especially, anything without MFA set up on it must be changed because there are just too many to risk it.
Kaspersky Ban
[05:57] U.S. announces ban on antivirus software from a Russia-based cybersecurity company : NPR. They insist they are secure and safe to use, but they are not the ones that have control of everyone and everything that happens with their systems.
OCR Ransomware Settlement
[08:26] We know more are coming and we know they are going to focus on the entities who have failed to do a complete and thorough risk assessment that included a ransomware attack. There is no doubt we need to have these done and no doubt they have not been done effectively in many organizations for years. This is the latest example of how it isn’t just the tiny offices not doing it. The patients who can’t get treatment plus have their information exposed pay the price. Then the community, and then the businesses themselves. This is probably at the very end of the find out stage for them.
Director’s statement:
“Hacking and ransomware are the most common type of cyberattacks within the health care sector. Failure to implement the HIPAA Security Rule requirements leaves health care entities vulnerable and makes them attractive targets to cyber criminals,” said OCR Director Melanie Fontes Rainer. “Safeguarding patient protected health information protects privacy and ensures continuity of care, which is our top priority. We remind and urge health care entities to protect their records systems and patients from cyberattacks.”
Heritage Valley Health System (Heritage Valley), which provides care in Pennsylvania, Ohio and West Virginia, signed the agreement in February, but we are just now getting the official announcement of the settlement.
This one goes way back to an attack from Oct 2017. OCR notified the health system they were opening a compliance review before even getting a notice of a data breach from them about a ransomware attack. It was in the news! We tell you they read the news. From the settlement:
On October 31, 2017, OCR initiated a compliance review of HVHS after media reports that HVHS had experienced a data security incident.
In the announcement they said:
OCR’s investigation revealed multiple potential violations of the HIPAA Security Rule, including failures by Heritage Valley to: conduct a compliant risk analysis to determine the potential risks and vulnerabilities to electronic protected health information in its systems; implement a contingency plan to respond to emergencies, like a ransomware attack, that damage systems that contain electronic protected health information; and implement policies and procedures to allow only authorized users access to electronic protected health information.
Under the terms of the resolution agreement, Heritage Valley agreed to pay $950,000 and implement a corrective action plan that will be monitored by OCR for three years. Under the plan Heritage Valley will take a number of steps to resolve potential violations of the HIPAA Security Rule and protect the security of electronic protected health information, including:
- Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic protected health information;
- Implement a risk management plan to address and mitigate security risks and vulnerabilities identified in their risk analysis;
- Review and develop, maintain, and revise, as necessary its written policies and procedures to comply with the HIPAA Rules; and
- Train their workforce on their HIPAA policies and procedures.
In the reminder for everyone section here is the list of things you should make sure you are doing to protect your organization from attacks as best as possible.
[21:50] OCR recommends health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following steps to mitigate or prevent cyber-threats:
- Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
- Integrate risk analysis and risk management into business processes; conducted regularly and when new technologies and business operations are planned.
- Ensure audit controls are in place to record and examine information system activity.
- Implement regular review of information system activity.
- [27:00] Utilize multi-factor authentication to ensure only authorized users are accessing electronic protected health information (ePHI).
- Encrypt ePHI to guard against unauthorized access to ePHI.
- Incorporate lessons learned from incidents into the overall security management process.
- Provide training specific to organization and job responsibilities and on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.
Have your ducks in a row, folks. If you do get hit, you had better start making a long list of things to gather as you go. The review will be happening, and you want to show them you are doing all the things needed to prevent an attack if possible and to mitigate any damage that could occur. You want these things cleared as soon as possible, because as they drag along this kind of situation could happen and you become the example for the whole sector to learn from, not just learning from your own review.
Maybe this is why we have been told that Cigna just automatically adds ID theft protection when you get on a new group health plan.
The OCR ransomware settlement sheds light on just how crucial it is for everyone to stay on their HIPAA game – whether you’re running the show or partnering up. So, make it a habit to conduct regular risk analyses, train your team like pros, and never turn a blind eye to those contracts. Remember, HIPAA isn’t just about ticking boxes; it’s about safeguarding patient care.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.